# Gerrit configuration for the snix monorepo { depot, pkgs, config, lib, ... }: let cfg = config.services.gerrit; gerritPackage = depot.third_party.nix-gerrit.gerrit_3_11; gerritPlugins = depot.third_party.nix-gerrit.plugins_3_11; besadiiWithConfig = name: pkgs.writeShellScript "besadii-gerrit01" '' export BESADII_CONFIG=/run/agenix/gerrit-besadii-config exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@" ''; gerritHooks = pkgs.runCommand "gerrit-hooks" { } '' mkdir -p $out ln -s ${besadiiWithConfig "change-merged"} $out/change-merged ln -s ${besadiiWithConfig "patchset-created"} $out/patchset-created ''; in { networking.firewall.allowedTCPPorts = [ 29418 ]; services.gerrit = { enable = true; listenAddress = "[::]:4778"; # 4778 - grrt serverId = "b4813230-0b9b-46cb-b400-dcbed70f87e6"; builtinPlugins = [ "download-commands" "hooks" "replication" ]; plugins = with gerritPlugins; [ # TODO: re-enable once we have figured out all the email situation. # code-owners oauth (depot.ops.gerrit-tvl { gerrit = gerritPackage; }) ]; package = gerritPackage; jvmHeapLimit = "4g"; # WARN(raito): keep this synchronized with the Gerrit version! jvmPackage = pkgs.openjdk21_headless; jvmOpts = [ # https://bugs.openjdk.org/browse/JDK-8170568 someday… ! "-Djava.net.preferIPv6Addresses=system" ]; settings = { core.packedGitLimit = "100m"; log.jsonLogging = true; log.textLogging = false; sshd.advertisedAddress = "cl.snix.dev:29418"; hooks.path = "${gerritHooks}"; cache.web_sessions.maxAge = "3 months"; plugins.allowRemoteAdmin = false; change.enableAttentionSet = true; change.enableAssignee = false; # Configures gerrit for being reverse-proxied by nginx as per # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html gerrit = { canonicalWebUrl = "https://cl.snix.dev"; docUrl = "/Documentation"; }; httpd.listenUrl = "proxy-https://${cfg.listenAddress}"; download.command = [ "checkout" "cherry_pick" "format_patch" "pull" ]; # Configure for cgit. # gitweb = { # type = "custom"; # url = "https://code.snix.dev"; # project = "/"; # revision = "/commit/?id=\${commit}"; # branch = "/log/?h=\${branch}"; # tag = "/tag/?h=\${tag}"; # roottree = "/tree/?h=\${commit}"; # file = "/tree/\${file}?h=\${commit}"; # filehistory = "/log/\${file}?h=\${branch}"; # linkname = "cgit"; # }; # # Auto-link panettone bug links # commentlink.panettone = { # match = "b/(\\d+)"; # link = "https://b.tvl.fyi/issues/$1"; # }; # Auto-link other CLs commentlink.gerrit = { match = "cl/(\\d+)"; link = "https://cl.snix.dev/$1"; }; # Auto-link links to monotonically increasing revisions/commits # commentlink.revision = { # match = "r/(\\d+)"; # link = "https://code.tvl.fyi/commit/?h=refs/r/$1"; # }; # Configures integration with Keycloak, which then integrates with a # variety of backends. auth.type = "OAUTH"; plugin.gerrit-oauth-provider-keycloak-oauth = { root-url = "https://auth.snix.dev/"; realm = "snix-project"; client-id = "gerrit"; # client-secret is set in /var/lib/gerrit/etc/secure.config. }; plugin.code-owners = { # A Code-Review +2 vote is required from a code owner. requiredApproval = "Code-Review+2"; # The OWNERS check can be overriden using an Owners-Override vote. overrideApproval = "Owners-Override+1"; # People implicitly approve their own changes automatically. enableImplicitApprovals = "TRUE"; }; # Allow users to add additional email addresses to their accounts. oauth.allowRegisterNewEmail = true; # Use Gerrit's built-in HTTP passwords, rather than trying to use the # password against the backing OAuth provider. auth.gitBasicAuthPolicy = "HTTP"; # Email sending (emails are relayed via the tazj.in domain's # GSuite currently). # # Note that sendemail.smtpPass is stored in # $site_path/etc/secure.config and is *not* controlled by Nix. # # Receiving email is not currently supported. # sendemail = { # enable = true; # html = false; # connectTimeout = "10sec"; # from = "TVL Code Review "; # includeDiff = true; # smtpEncryption = "none"; # smtpServer = "localhost"; # smtpServerPort = 2525; # }; }; # Replication of the snix repository to secondary machines, for # serving forgejo. replicationSettings = { gerrit.replicateOnStartup = true; # Replicate to our forgejo instance. remote.forgejo = { url = "git@git.snix.dev:snix/snix.git"; push = [ "+refs/heads/*:refs/heads/*" "+refs/tags/*:refs/tags/*" ]; timeout = 30; threads = 3; remoteNameStyle = "dash"; mirror = true; # we are unsure if this should be private info replicatePermissions = false; projects = [ "snix" ]; }; }; }; systemd.services.gerrit = { serviceConfig = { # There seems to be no easy way to get `DynamicUser` to play # well with other services (e.g. by using SupplementaryGroups, # which seem to have no effect) so we force the DynamicUser # setting for the Gerrit service to be disabled and reuse the # existing 'git' user. DynamicUser = lib.mkForce false; User = "git"; Group = "git"; }; }; # Taken from Lix. # Before starting gerrit, we'll want to create a "secure auth" file that contains our secrets. systemd.services.gerrit-keys = { enable = true; before = [ "gerrit.service" ]; wantedBy = [ "gerrit.service" ]; after = [ "network.target" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = "true"; WorkingDirectory = "/var/lib/gerrit"; }; path = [ pkgs.git ]; script = '' CONF=etc/secure.config # Ensure our config file is accessible to gerrit. touch $CONF chmod 600 $CONF # Configure the SSH replication material mkdir -p /var/lib/git/.ssh cp ${config.age.secrets.gerrit-replication-key.path} /var/lib/git/.ssh/id_replication cat > /var/lib/git/.ssh/config <